Senate Study Bill 3040 - Introduced
SENATE/HOUSE FILE _____
BY (PROPOSED ATTORNEY GENERAL BILL)
A BILL FOR
An Act modifying provisions applicable to personal information security breach notification requirements, and making penalties applicable.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:
TLSB 5294DP (6) 85 rn/nh
S.F. _____ H.F. _____
Section 1. Section 715C.1, subsection 1, Code 2014, is amended to read as follows:
1. “Breach of security” means unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information. “Breach of security” also means unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form. Good faith acquisition of personal information by a person or that person’s employee or agent for a legitimate purpose of that person is not a breach of security, provided that the personal information is not used in violation of applicable law or in a manner that harms or poses an actual threat to the security, confidentiality, or integrity of the personal information.
Sec. 2. Section 715C.1, subsection 5, Code 2014, is amended to read as follows:
5. “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key. For purposes of this chapter, personal information shall not be considered encrypted when a key to unencrypt the information has been acquired in the breach of security by which the personal information was acquired.
Sec. 3. Section 715C.1, subsection 11, paragraphs c and d, Code 2014, are amended to read as follows:
c. Financial account number, credit card number, or debit card number alone or in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
d. Unique electronic identifier or routing code, alone or in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Sec. 4. Section 715C.1, subsection 12, Code 2014, is amended to read as follows:
12. “Redacted” means altered or truncated so that no more than five digits of a social security number or the last four digits of other numbers designated in section 715A.8, subsection 1, paragraph “a”, are accessible as part of the data. For purposes of this chapter, personal information shall not be considered redacted when a key to unredact the information has been acquired in the breach of security by which the personal information was acquired.
Sec. 5. Section 715C.2, Code 2014, is amended to read as follows:
715C.2 Security breach —— consumer notification requirements —— remedies.
1. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to any consumer whose personal information was included in the information that was breached. The consumer notification shall be made in the most expeditious manner possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection 3, and consistent with any measures necessary to sufficiently determine contact information for the affected consumers, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data.
2. Any person who maintains or otherwise possesses personal information on behalf of another person shall notify the owner or licensor of the information of any breach of security immediately following discovery of such breach of security if a consumer’s personal information was included in the information that was breached.
3. The consumer notification requirements of this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and the agency has made a written request that the notification be delayed. The notification required by this section shall be made after the law enforcement agency determines that the notification will not compromise the investigation and notifies the person required to give notice in writing.
4. For purposes of this section, notification to the consumer may be provided by one of the following methods:
a. Written notice to the last available address the person has in the person’s records.
b. Electronic notice if the person’s customary method of communication with the consumer is by electronic means or is consistent with the provisions regarding electronic records and signatures set forth in chapter 554D and the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. § 7001.
c. Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, that the affected class of consumers to be notified exceeds three hundred fifty thousand persons, or if the person does not have sufficient contact information to provide notice. Substitute notice shall consist of the following:
(1) Electronic mail notice when the person has an electronic mail address for the affected consumers.
(2) Conspicuous posting of the notice or a link to the notice on the internet site of the person if the person maintains an internet site.
(3) Notification to major statewide media.
5. Notice pursuant to this section shall include, at a minimum, all of the following:
a. A description of the breach of security.
b. The approximate date of the breach of security.
c. The type of personal information obtained as a result of the breach of security.
d. Contact information for consumer reporting agencies.
e. Advice to the consumer to report suspected incidents of identity theft to local law enforcement or the attorney general.
6. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Such a determination must be documented in writing and the documentation must be maintained for five years.
7. This section does not apply to any of the following:
a. A person who complies with notification requirements or breach of security procedures that provide greater protection to personal information and at least as thorough disclosure requirements than that provided by this section pursuant to the rules, regulations, procedures, guidance, or guidelines established by the person’s primary or functional federal regulator.
b. A person who complies with a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breach of security or personal information than that provided by this section.
c. A person who is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801 – 6809.
8. Any person who owns or licenses computerized data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give written notice of the breach of security following discovery of such breach of security, or receipt of notification under subsection 2, to the director of the consumer protection division of the office of the attorney general prior to giving notice of the breach of security to any consumer. The requirement to provide notice pursuant to this subsection shall not be subject to a request to delay as provided in subsection 3, and shall apply regardless of whether the person is otherwise excused from giving notice to consumers pursuant to subsection 6 or 7.
8. 9. a. A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.
b. The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.
EXPLANATION
The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.
This bill relates to notification requirements applicable to security breaches involving consumer personal information contained in Code chapter 715C.
The bill modifies several definitions contained in the Code chapter. The bill includes within the definition of a “breach of security” the unauthorized acquisition of personal information maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form.
The definitions of “encryption” and “redacted” are amended to add that personal information shall not be considered encrypted or redacted when a key to unencrypt or unredact the information has been acquired in the breach of security by which the personal information was acquired.
Currently, personal information is defined in the Code chapter to include an individual’s first name or first initial and last name together with a financial account number, credit card number, debit card number, or unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The bill provides that a financial account number, credit card number, debit card number, or unique electronic identifier or routing code alone, or in addition to any required security code, access code, or password that would permit access to an individual’s financial account, may be considered personal information when combined with an individual’s first name or first initial and last name.
The bill also requires a person subject to the chapter’s consumer notification requirements to notify the director of the consumer protection division of the office of the attorney general prior to giving the required notice of the breach of security to any consumer. The bill provides that this requirement shall not be subject to delay upon the request of law enforcement personnel otherwise applicable to consumer notification, and further shall apply regardless of whether a person is otherwise excused from giving notice pursuant to the chapter’s provisions. Existing penalty provisions regarding unlawful practice and damages for violations of the consumer notification requirements would be applicable to the failure to provide notice of a breach of security to the director of the consumer protection division of the office of the attorney general.